Data Processing Terms
Last updated: 28 April 2026
These Data Processing Terms describe how MissionPay ("we", "us", the "Processor") processes personal information on behalf of churches and other organisations using the MissionPay platform ("Customer", "you", the "Controller"). They form part of the Terms of Service and apply automatically to every organisation operating an active church account.
These terms are written to support the obligations of organisations under the Privacy Act 1988 (Cth) and Australian Privacy Principles, and are compatible with GDPR-style controller/processor expectations for organisations that process the data of EU or UK residents.
1. Roles
For donor personal information that flows through MissionPay (donor name, email, donation history attributed to a particular church), the church is the Controller and MissionPay is the Processor. We process donor data on the church's instructions, as configured through the platform.
For platform-level data (the church's own admin user accounts, the configuration of funds and campaigns, security and audit logs of platform usage), MissionPay is the independent Controller.
2. Subject matter and duration
We process donor personal information for the duration of your church account, plus the retention windows described in our Privacy Policy (notably the seven-year financial-records retention required by the ATO).
3. Categories of data subjects and personal data
Data subjects: donors and prospective donors of the church.
Categories of personal data we process on the church's behalf:
- identifiers — name, email, phone (if supplied);
- financial data — donation amounts, frequency, fund and campaign attribution, recurring schedule status, refunds and chargebacks;
- derived data — tax receipts, recurring giving statements, donor lifetime value;
- communication preferences — email opt-in flags;
- limited technical data attached to security events — IP and user-agent in security alert emails sent to the donor.
We do not process card numbers, CVVs, or full bank account numbers — those are entered directly into Stripe and never reach our systems.
4. Nature and purpose of processing
We process donor personal information solely to:
- accept donations on behalf of the church via Stripe;
- generate and email tax receipts and recurring statements;
- provide the donor with a self-service portal showing their giving history;
- provide the church with a dashboard, donor list, and reporting on donations;
- send transactional emails (donation confirmation, payment failed, recurring giving cancelled);
- protect the platform from fraud and abuse;
- comply with legal obligations (tax record-keeping, audit, lawful disclosure requests).
We do not use donor personal information for our own marketing purposes, do not sell it, do not share it with advertisers, and do not use it to train AI models.
5. Sub-processors
MissionPay engages the following categories of sub-processor to deliver the Service. Each is bound by written confidentiality and security obligations comparable to those described in these terms:
| Category | Purpose | Region |
|---|---|---|
| Stripe | Payment processing, payouts, fraud detection | Australia (with global processing per Stripe's terms) |
| Application hosting | Runs the MissionPay application servers | Australia |
| Database hosting | Stores account, donation, and receipt records | Australia |
| Object storage | Hosts uploaded media (logos, hero images) | Australia |
| Transactional email | Delivers donation confirmations, receipts, and security notifications | Global (TLS in transit) |
| Document rendering | HTML-to-PDF conversion for tax receipts | Australia |
| Caching / rate limiting | Cross-instance security counters | Australia |
A current list of named sub-processors is available to Church Admins on request. We may add or replace sub-processors from time to time; material changes are notified to Church Admins by email.
6. International transfers
Donor data is primarily stored and processed in Australia. Limited cross-border transfers occur where global services are inherent to the Service — most notably the payment network (which operates globally for fraud detection and settlement) and the transactional email service used to deliver receipts and notifications. All such transfers are encrypted in transit.
Where the donor is an EU/UK resident and these transfers leave the EU/UK, we rely on Standard Contractual Clauses with the relevant sub-processor.
7. Security measures
MissionPay maintains technical and organisational security measures appropriate to the sensitivity of the data we process. These include encryption of sensitive data in transit and at rest, modern password hashing, multi-factor authentication for administrators, role-based access controls between donors and admin tiers, cross-site request protection and rate limiting on sensitive endpoints, fail-closed boot configuration in production, dependency-vulnerability scanning in our build pipeline, and audit logging of sensitive administrative actions.
Detailed security documentation is available to Church Admins and enterprise customers on request, under reasonable confidentiality undertakings.
8. Personal data breach
If we become aware of a personal data breach affecting donor data we process on behalf of churches, we will:
- notify affected Church Admins without undue delay (and within 72 hours where the breach is likely to result in serious harm), with the information needed for the church to meet its own notification obligations under the Notifiable Data Breaches scheme;
- investigate the cause, contain the breach, and apply remediation;
- cooperate with the church's reasonable requests for information needed to assess and respond to the breach.
Breach reports should be sent to security@missionpay.com.au.
9. Data subject rights
Donors can exercise their rights of access, correction, and erasure directly through their MissionPay donor account or by contacting us at privacy@missionpay.com.au. Where a donor contacts the church directly, we will assist the church to fulfil the request within reasonable timeframes.
Erasure requests are reviewed by a platform Super Admin and processed within seven days. Personal identifiers (name, email, phone, payer email, password, 2FA secrets) are scrubbed; financial records (donation amount, fund, church, timestamps, Stripe IDs, tax receipts) are retained without donor identification for the seven-year ATO retention window.
10. Audit and assurance
On reasonable request, MissionPay will provide Church Admins with a summary of the controls described in this document, our most recent dependency-audit results, and a high-level description of our security architecture. We will accommodate reasonable customer audit requests where these do not compromise the security or commercial confidentiality of the platform.
11. Return or deletion of data on termination
On termination of a church account, you may request a JSON or CSV export of donor and donation data attributed to your church. After export — or after the statutory retention windows expire if no export is requested — donor personal information attributed to your church is scrubbed in line with our retention schedule.
12. Liability
Liability arising under these Data Processing Terms is governed by, and is subject to the limitations set out in, our Terms of Service.
13. Changes
We may update these terms from time to time. The "Last updated" date reflects the most recent change. Material changes will be notified to Church Admins by email.
14. Contact
For data-processing questions and DPA-related correspondence: privacy@missionpay.com.au. For security incidents: security@missionpay.com.au.